From 7dc85e1513cfc6ab7208fbda699257d14fb9676d Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 19:21:30 +0530 Subject: [PATCH 1/3] Update ts-bitlocker-tpm-issues.md --- .../bitlocker/ts-bitlocker-tpm-issues.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md index 9e19de9f72..d9f36860e7 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md @@ -18,7 +18,7 @@ ms.custom: bitlocker # BitLocker and TPM: other known issues -This article describes common issues that relate directly to the Trusted Platform Module (TPM), and provides guidance to address these issues. +This article describes common issues that relate directly to the trusted platform module (TPM), and provides guidance to address these issues. ## Azure AD: Windows Hello for Business and single sign-on do not work @@ -52,21 +52,21 @@ Additionally, the behavior indicates that the client computer cannot obtain a [P ### Resolution -To verify the status of the PRT, use the [dsregcmd /status command](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT was not issued. This may indicate that the computer could not present its certificate for authentication. +To verify the status of the PRT, use the [dsregcmd /status command](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT was not issued. This indicates that the computer could not present its certificate for authentication. To resolve this issue, follow these steps to troubleshoot the TPM: -1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box. -1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions. -1. If you do not see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout. -1. Contact the hardware vendor to determine whether there is a known fix for the issue. -1. If you still cannot resolve the issue, clear and re-initialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm). +1. Select **Start**, and enter **tpm.msc** in the **Search** box to open the TPM management console (tpm.msc). +2. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions. +3. If you do not see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout. +4. Contact the hardware vendor to determine whether there is a known fix for the issue. +5. If you still cannot resolve the issue, clear and re-initialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm). > [!WARNING] > Clearing the TPM can cause data loss. ## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use -You have a Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive a message that resembles the following: +You have a Windows 10, version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive a message that resembles the following: > Loading the management console failed. The device that is required by the cryptographic provider is not ready for use. > HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY @@ -89,12 +89,12 @@ If this does not resolve the issue, consider replacing the device motherboard. A You have a device that you are trying to join to a hybrid Azure AD. However, the join operation appears to fail. -To verify that the join succeeded, use the [dsregcmd /status command](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded: +To verify whether the join operation succeeded, use the [dsregcmd /status command](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join operation succeeded: - **AzureAdJoined: YES** - **DomainName: \<*on-prem Domain name*\>** -If the value of **AzureADJoined** is **No**, the join failed. +If the value of **AzureADJoined** is **No**, the join operation failed. ### Causes and Resolutions From 89710dc7e7a3009482c46ce2fe8a27b136267a12 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 10:09:01 +0530 Subject: [PATCH 2/3] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From 7b5ddd7592b259a9cdc0f8f2a26742d5e5b7de80 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Thu, 12 May 2022 12:09:12 +0530 Subject: [PATCH 3/3] fixed acrolinx issues --- .../bitlocker/ts-bitlocker-tpm-issues.md | 37 +++++++++---------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md index 5ce692ae1d..aec78e2149 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md @@ -20,15 +20,15 @@ ms.custom: bitlocker This article describes common issues that relate directly to the trusted platform module (TPM), and provides guidance to address these issues. -## Azure AD: Windows Hello for Business and single sign-on do not work +## Azure AD: Windows Hello for Business and single sign-on don't work -You have an Azure Active Directory (Azure AD)-joined client computer that cannot authenticate correctly. You experience one or more of the following symptoms: +You have an Azure Active Directory (Azure AD)-joined client computer that can't authenticate correctly. You experience one or more of the following symptoms: -- Windows Hello for Business does not work. +- Windows Hello for Business doesn't work. - Conditional access fails. -- Single sign-on (SSO) does not work. +- Single sign-on (SSO) doesn't work. -Additionally, the computer logs an entry for Event ID 1026, which resembles the following: +Additionally, the computer logs the following entry for Event ID 1026: > Log Name: System > Source: Microsoft-Windows-TPM-WMI @@ -46,28 +46,27 @@ Additionally, the computer logs an entry for Event ID 1026, which resembles the ### Cause -This event indicates that the TPM is not ready or has some setting that prevents access to the TPM keys. +This event indicates that the TPM isn't ready or has some setting that prevents access to the TPM keys. -Additionally, the behavior indicates that the client computer cannot obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token). +Additionally, the behavior indicates that the client computer can't obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token). ### Resolution -To verify the status of the PRT, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT was not issued. This may indicate that the computer could not present its certificate for authentication. +To verify the status of the PRT, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT wasn't issued. This may indicate that the computer couldn't present its certificate for authentication. To resolve this issue, follow these steps to troubleshoot the TPM: 1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box. 1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions. -1. If you do not see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout. -1. Contact the hardware vendor to determine whether there is a known fix for the issue. -1. If you still cannot resolve the issue, clear and re-initialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). - +1. If you don't see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout. +1. Contact the hardware vendor to determine whether there's a known fix for the issue. +1. If you still can't resolve the issue, clear and reinitialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). > [!WARNING] > Clearing the TPM can cause data loss. -## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use +## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use -You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive a message that resembles the following: +You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive the following message: > Loading the management console failed. The device that is required by the cryptographic provider is not ready for use. > HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY @@ -84,11 +83,11 @@ These symptoms indicate that the TPM has hardware or firmware issues. To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0. -If this does not resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0. +If this doesn't resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0. -## Devices do not join hybrid Azure AD because of a TPM issue +## Devices don't join hybrid Azure AD because of a TPM issue -You have a device that you are trying to join to a hybrid Azure AD. However, the join operation appears to fail. +You have a device that you're trying to join to a hybrid Azure AD. However, the join operation appears to fail. To verify that the join succeeded, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded: @@ -99,11 +98,11 @@ If the value of **AzureADJoined** is **No**, the join operation failed. ### Causes and Resolutions -This issue may occur when the Windows operating system is not the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table: +This issue may occur when the Windows operating system isn't the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table: |Message |Reason | Resolution| | - | - | - | -|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that is not joined to or registered in Azure AD or hybrid Azure AD. | +|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. | |TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. | |TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. | |NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |